Even when PCs are locked down, modems and routers can still be compromised.

Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said.

The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab expert Fabio Assolini, citing statistics provided by Brazil's Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal the passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers, so that users trying to visit popular websites instead connected to booby-trapped imposter sites.

"This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems," Assolini wrote in a blog post published on Monday morning. "This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months."

Assolini said the mass attack was the result of a "perfect storm" brought on by the inaction of a variety of key players, including ISPs, modem manufacturers, and the Brazilian government agency that approves network devices but failed to test any of the modems for security.

It remains unclear which modem manufacturers and models are susceptible to the attacks. Assolini said a vulnerability disclosed in early 2011 appears to be caused by a chipset driver included with modems that use hardware from communications chip provider Broadcom. It allows a CSRF attack to take control of the administration panel and capture the password set on vulnerable devices. Assolini doesn't know precisely when, but at some point attackers began exploiting the vulnerability on millions of Brazilian modems. In addition to pointing the devices to malicious DNS servers, the attackers also changed the device passwords so it would be harder for victims to change the malicious settings.

The attacks were recorded on modems from six manufacturers, five of which are widely marketed in Brazil and several of which are among the most popular. In an e-mail, a Kaspersky spokesman said the firm isn't publishing the affected manufacturers or models at this time.

"The negligence of the manufacturers, the neglect of the ISPs and ignorance of the official government agencies create a 'perfect storm,' enabling cybercriminals to attack at will," Assolini wrote.

People who connected to the Internet using a compromised modem were routed to imposter websites when they attempted to visit sites such as Google, Facebook, and Orkut. In some cases, the malicious sites exploited vulnerabilities in Oracle's ubiquitous Java software framework to silently install banking fraud malware when the booby-trapped websites were accessed. In other cases, users were told they should install a software plug-in so their computers would be able to take advantage of recent changes made to the sites. Attacks were recorded on all major Brazilian ISPs, with some providers seeing about 50 percent of their users affected, Assolini said.

One of the 40 DNS servers used in the attack that was later accessed by authorities showed more than 14,000 victims had connected to it. During his presentation, Assolini displayed an Internet chat in which one of the hackers claimed to earn "more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes," according to a write-up by Graham Cluley, a senior technology consultant at antivirus provider Sophos.

With an attack this effective and easy to exploit, it wouldn't be surprising to learn that countries other than Brazil have also been targeted. Last year Kaspersky Lab researchers reported a similar attack hitting Mexico.

The mass attack is concerning because it successfully targeted devices few of us spend much time trying to secure. With so much emphasis placed on locking down computers, it's worth remembering that modems and routers can also be exploited to steal banking passwords and other online assets. The vulnerability is even more alarming since the list of affected manufacturers and models is still unknown. Users who want to protect themselves should make sure their modems are running the latest available firmware, although based on what we know now, there's no guarantee the latest release has been patched against the exploited CSRF flaw.
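The two symptoms the article describes on a hijacked modem, resolvers that are not the ISP's and popular sites resolving to addresses they should not, can be checked from the LAN side without touching the device's admin panel. The following is an added example, not code from the article or from Kaspersky; the status-page text, the ISP resolver allowlist and the canary address ranges are all constructed (RFC 5737 documentation addresses) and would be replaced with values obtained over a path the modem does not control.

```python
import ipaddress
import re

# Resolvers the ISP legitimately hands out (assumed allowlist; constructed addresses).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Ranges a canary name is known to resolve into (constructed). In practice, fill
# these from a trusted resolver reached over a path the modem does not control.
CANARY_RANGES = {
    "www.example.com": ["198.51.100.0/24"],
    "mail.example.com": ["198.51.100.0/24", "192.0.2.0/25"],
}

# Constructed text of a modem's LAN-side status page; only the DNS lines matter.
STATUS_DUMP = """\
WAN IP Address   : 203.0.113.200
Default Gateway  : 203.0.113.1
Primary DNS      : 192.0.2.250
Secondary DNS    : 203.0.113.53
"""

DNS_LINE = re.compile(r"^\s*(Primary|Secondary)\s+DNS\s*:\s*(\S+)", re.M)


def parse_resolvers(dump):
    """Resolver addresses found in a status dump, in order; junk values are skipped."""
    found = []
    for _, raw in DNS_LINE.findall(dump):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue                      # e.g. "N/A" on an unconfigured slot
        if not ip.is_unspecified:         # 0.0.0.0 is a placeholder, not a resolver
            found.append(str(ip))
    return found


def rogue_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Resolvers that are not on the ISP allowlist (the article's first symptom)."""
    return [r for r in resolvers if r not in expected]


def answer_is_plausible(name, answers, ranges=CANARY_RANGES):
    """True if every answer for a canary name falls in a known range; None if the name is unknown."""
    nets = [ipaddress.ip_network(n) for n in ranges.get(name, [])]
    if not nets:
        return None
    return all(any(ipaddress.ip_address(a) in net for net in nets) for a in answers)


def audit(dump, observed_answers):
    """observed_answers maps canary name -> addresses the configured resolver returned."""
    findings = [f"unexpected resolver {r}" for r in rogue_resolvers(parse_resolvers(dump))]
    for name, answers in observed_answers.items():
        if answer_is_plausible(name, answers) is False:
            findings.append(f"{name} resolved outside known ranges: {answers}")
    return findings
```

A finding on either check is the signal to inspect the modem's DNS settings and password, not proof of compromise on its own, since ISPs do change resolver addresses and sites do move ranges.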

I wouldn't even know what to do if my modem was on a list of vulnerable modems. It doesn't give me anything more than a status screen when I connect to it and it didn't come with anything other than a diagram showing me what to plug into each port.

Maybe the manufacturer website has a real manual and there's some hidden admin menus I can access. But in my experience with modems, they're really sparse on configurable features (at least on the user side).

Wiping your cookies and clearing the login credential cache after configuring a modem will eliminate the threat.

Wiping the credential cache is difficult in some browsers (IE, of course). In my experience the cache is relatively short lived, if you haven't logged in to the modem in a long time you are probably safe.

In the future only use incognito or private browsing mode, and do not use the same browsing session for anything else.


Does this apply to DSL modems only?

I am not sure if I am allowed to custom configure my cable modem.

CSRF attacks are not unique to dsl modems, but if you have never accessed a configuration screen you are safe. Any web based application can be vulnerable. My instructions should protect you in all cases.

DSL modems frequently use PPPoE, which uses a user name/password pair to validate you and assign you an IP address/gateway/DNS server. The hackers are modifying that firmware to send your username/password to their server.

Cable modems most often use your MAC address to download a configuration file with IP address/gateway/DNS server. That would be a different man in the middle attack, requiring them to be physically plugged into your local Cable ISP as MAC addresses are not preserved across routers.


One way to avoid this problem is to not use DHCP. Manually configure your DNS servers as well. It avoids some of the attacks by not allowing your system to be redirected. My physical firewall sees at least 1000 probes an hour. Amazing how many auto routines are looking for a way into our systems!

This shows the need for third party firmware so users aren't helplessly dependent on manufacturers and ISPs that have a long track record of disregarding security or in fact creating it to be insecure.


Er, NO!

Clearing your cache will not help you keep your modem from being compromised, and if you've been redirected to a malicious DNS, no amount of incognito modes will keep you from entering in your credentials in a fake Gmail...

You, sir, are dangerous.

It's really hard to say what steps will protect you from an undisclosed vulnerability, but usually vulnerabilities on the modem generally are basic idiocy, like an undocumented admin/admin account, the admin site left open to the ISP network side, etc. Things that the customer can't fix, it needs a firmware update to fix...

Edit: probably just feeding trolls here...

Why does Kaspersky hide the IP addresses the criminals are using for the rogue DNS servers? They carefully X'd it out or redacted it everywhere. The only people that impacts are the other security professionals who could actually use the information for an audit.

I was so confused by that suggestion. It made me wonder if I misinterpreted the article. "Was this a PC attack or modem attack?" Also, the word "modem" is used kind of liberally. It sounds like this was an attack on a gateway box that does routing and DHCP. That kind of equipment is more than a modem in a strict sense.

I feel I'm missing something important here. Some serious social engineering would be needed to execute a CSRF against a DSL modem, surely? Most people wouldn't even know how to log into their modem with a browser; once set up, the modem is that thing in the corner they reboot once in a while.

I can see placing a link to 192.168.0.1 or similar on a page, but you're still banking on the user actually logging into the modem.


Or a long history of those who "hack" their modems to get a higher grade of service.

Along with cable modem hacking, this DSL modem hacking is a good demonstration of why it is imperative that We The Peons must fight against any big media attempts to make us legally liable for misuse of our internet connections. We average internet subscribers must not be put in a position where we are held accountable for firmware vulnerabilities that we know little or nothing about, and which are usually beyond our control.

Can you imagine your cheap modem+router becoming some hacker's self-contained proxy server? And who knows what vulnerabilities might exist in devices further out in the network where we end-subscribers are explicitly without control or access? With pressures like the new laws in Japan criminalizing downloading, the motivation to exploit these obscure networking devices will only increase, and when exploits are created, they will spread globally.

An IP or MAC address must never be used as proof of personal identity.


Or am I getting this backwards somehow?

Maybe all done in Javascript? The CSRF just being used to get onto a page that the user will likely be visiting anyway?

Ahh, looking at the advisory, it seems like a standard default username/password attack.

Are modem makers really still doing this?

I don't think so. They say here that the attack works against any box.

Quote:

Even if you have a strong password configured on the device, the flaw allows an attacker to access the control panel, capture the password, log into the device and make changes.

The exploit exposes the credentials to the device. I don't know if some basic configurations would break this exploit or not. Like "no management from the WAN interface." It seems like they were sending something to port 80. Turn off port 80 on the WAN side and you're safe?


Hmm, yeah I misread the first page I looked at. Well that's some pretty dozy work by whoever wrote that cgi. Thanks for the clarification.

Looking at it again then, no, turning off WAN access wouldn't help necessarily. Any device that was LAN connected inside the local subnet would be able to issue a session-less password reset against the device. Which is a mind-numbingly stupid error.


The vulnerability was disclosed, it is a CSRF (cross-site request forgery.) That is a very specific type of attack where a user is tricked into clicking a malicious link that points to a web site that the user has previously visited. When a user clicks such a link all login credentials and cookies are transmitted even if the link originated on another website.

Imagine you had a link "lol cats" pointing to "yourbank.com/accounts/transfer/5000/toMike"; if the banking app doesn't have CSRF protection it has no idea the request originated from another server. If you are currently logged in to the bank, you just gave me $5000.

CSRF attacks are always limited to web sites where you have already been authenticated. If you are not authenticated there is no risk.
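The thread's two descriptions of the flaw, a CSRF against an authenticated admin session and a "session-less" password reset any LAN host can trigger, are both failures of the same handler to check who asked for a state change. The following is an added example, not the modem firmware or any code from the thread: a toy model of a modem's password-change handler in the broken shape beside a hardened one that requires POST, a logged-in session, a per-session synchronizer token and a same-origin request. Requests are plain dicts and the LAN address 192.168.0.1 is assumed.

```python
import hmac
import secrets

DEVICE_ORIGIN = "http://192.168.0.1"   # assumed LAN address of the device's admin page


class ModemAdmin:
    """Toy model of a DSL modem's web admin backend (constructed, not real firmware)."""

    def __init__(self, admin_password):
        self.admin_password = admin_password
        self.sessions = {}        # session id -> CSRF token issued for that session

    # --- vulnerable shape: the "session-less" password reset the thread describes ---
    def vuln_set_password(self, request):
        # No login, no token, no method check: any page the victim's browser loads
        # (an <img> or a link on a forum) can trigger this from inside the LAN.
        new = request["params"].get("password")
        if new is None:
            return 400, "missing password"
        self.admin_password = new
        return 200, "password changed"

    # --- hardened shape -----------------------------------------------------------
    def login(self, password):
        """Return a session id on success, None otherwise."""
        if not hmac.compare_digest(password.encode(), self.admin_password.encode()):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(16)   # synchronizer token
        return sid

    def csrf_token(self, sid):
        """Token the admin page embeds in its form for this session."""
        return self.sessions.get(sid)

    def safe_set_password(self, request):
        if request["method"] != "POST":                     # 1. state change only via POST
            return 405, "method not allowed"
        sid = request["cookies"].get("sid")                  # 2. must be logged in
        token = self.sessions.get(sid)
        if token is None:
            return 401, "login required"
        sent = request["params"].get("csrf")                 # 3. token must match session
        if sent is None or not hmac.compare_digest(sent.encode(), token.encode()):
            return 403, "bad csrf token"
        source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
        # 4. same origin only; the "/" guard stops "http://192.168.0.10" matching the prefix
        if not (source == DEVICE_ORIGIN or source.startswith(DEVICE_ORIGIN + "/")):
            return 403, "cross-origin request refused"
        new = request["params"].get("password")
        if new is None:
            return 400, "missing password"
        self.admin_password = new
        return 200, "password changed"


def demo():
    """Replay one forged request against both handlers; returns the statuses and end state."""
    forged = {"method": "GET", "params": {"password": "attacker"}, "cookies": {},
              "headers": {"Referer": "http://evil.example/lolcats"}}
    v = ModemAdmin("admin")
    vuln_status = v.vuln_set_password(forged)[0]            # 200: password silently replaced

    s = ModemAdmin("admin")
    results = [s.safe_set_password(forged)[0]]              # 405: GET refused
    sid = s.login("admin")
    forged_post = dict(forged, method="POST", cookies={"sid": sid})
    results.append(s.safe_set_password(forged_post)[0])     # 403: a valid cookie alone is not enough
    legit = dict(forged_post, params={"password": "n3w", "csrf": s.csrf_token(sid)},
                 headers={"Origin": DEVICE_ORIGIN})
    results.append(s.safe_set_password(legit)[0])           # 200: token and same origin present
    return vuln_status, results, v.admin_password, s.admin_password
```

The second forged request in demo() is the thread's CSRF case: the victim is logged in, so the cookie rides along, and only the token and origin checks stop it.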


OK, just spent some quality time with wikipedia, and went and looked at at the vulnerability link, and you're right.


Many modems have web configuration interfaces. If a web page contains a malicious link pointing to the web address of the modem, clicking it could reconfigure the modem. From the modem's perspective it would be no different than if you logged in and changed the setting yourself.


No can do. Some, if not most, ISP ToU contracts (Comcast does for certain) state quite specifically that you are not allowed to specify an IP address, that they will provide you one. In other words, you MUST use DHCP.


Quote:

displayed an Internet chat in which one of the hackers claimed to earn "more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes,"

Hookers and Blow that makes it a real attack.

Nope, they are attacking DSL routers because they are ubiquitous (handed out en masse by ISPs, as opposed to cable which only hands out the modem), and often have remote access turned on by lazy DSL providers for remote troubleshooting with a default password. All the hackers had to do was write a simple script to edit the routers to point to compromised DNS routers under their control.


This requires access to the victim PC before the exploit can take place. Chicken and egg. I'm reading that they were breaking routers to get to PCs.

The mass attack is concerning because it successfully targeted devices few of us spend much time trying to secure.

Except that neither DNS nor IP were designed to be secure. This attack is concerning because it demonstrates the failure in practice of the encryption and server authentication protocols (SSL and TLS under the current CA regime) designed to protect users against this sort of threat, and, in particular, the failure of banks (not ISPs, customer site admins, or customers, as these groups have little or no control over the security measures employed by the bank) to successfully leverage these and other technologies to protect their customers against fraud.


Obviously, but this has less to do with terms of use than network design and plain common sense — each device needs an IP address in a particular subnet that doesn't conflict with any other devices on this subnet, and DHCP is the mechanism employed to ensure this. I believe what the other poster was suggesting was that you need not use the DHCP-supplied DNS server IP addresses, which is true. I've run named on a pair of my own systems for as long as I can remember, in the traditional "root hints" configuration rather than via forwarding, and doing so causes no problems whatsoever with either my cable modem or its terms of service.

To clarify the role of DHCP: DNS server addresses are suggested to the DHCP client running on the "outside" port on my NAT router, but they're totally ignored, as the NAT router (nothing fancy, just a bog-standard AirPort Extreme Base Station) is configured both to offer the addresses of my internal DNS servers via the DHCP server listening on "internal" ports, and to use the same internal DNS servers itself.

My mother-in-law was the victim of a similar hacking job a couple of years ago which targeted the ancient DSL modem that AT&T saddled her with and would not even point us to firmware upgrades. The modem handled validation and login for her DSL account, and the hacker got these credentials from the modem, then proceeded to add multiple mail accounts to her account, spam the world, and eventually lock her out of her own account with a password change.

AT&T, true to form, denied all wrongdoing and gave us an enormous amount of trouble just to reset the password on the account to something long and random. When we did, it was hacked again almost immediately - which was how I figured out it was the modem (my mother-in-law was running Ubuntu at the time). The solution was simple, and probably still applies. We reset the modem to passthrough mode and used a second, more secure, router for firewall and router. You could do the same by setting up a PPPoE network connection on your computer, but your firewall may not be as good. Problem solved.